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Abstract 

Subsets of F2 that are e-biased, meaning that the parity of any set of 
bits is even or odd with probabihty e close to 1/2, are powerful tools for 
derandomization. A simple randomized construction shows that such sets 
exist of size 0(n/e^), and known deterministic constructions achieve sets 
of size 0{n/e^), 0{n^ /e^), and 0((n/e^)^/'*). Rather than derandomizing 
these sets completely in exchange for making them larger, we attempt a 
partial derandomization while keeping them small, constructing sets of 
size 0(n/e^) with as few random bits as possible. The naive randomized 
construction requires 0(n^/e^) random bits. We give two constructions. 
The first uses Nisan's space-bounded pseudorandom generator to partly 
derandomize a folklore probabilistic construction of an error-correcting 
code, and requires 0(n log(l/e)) bits. Our second construction requires 
0(n log(n/e)) bits, but is more elementary; it adds randomness to a Leg- 
endre symbol construction on Alon, Goldreich, Hastad, and Peralta, and 
uses Weil sums to bound high moments of the bias. 

1 Introduction 

Derandomization is the art of replacing random choices with deterministic ones. 
In many cases, we can accomplish this by finding explicit constructions of com- 
binatorial objects that "look random" in some sense. In particular, say a set 
5* C F2 fools a function / if 



< £. 



for some small e. If there are families of sets of polynomial size that we can 
construct in polynomial time, such that for each constant c we can fool every 
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/ G TIME(n'^) with e sufficiently small, then every polynomial-time randomized 
algorithm can be derandomized and P = BP P. 

In a number of applications, even sets that fool linear functions are useful [T]. 
In , any such function is the parity of some subset of cc's coordinates. Let 
X and let T C [n]. The parity of the bits of x indexed by T is 



This is the same as saying that xs^ the characteristic function of 5, has a nearly 
flat Fourier spectrum: if we normalize it to (l/|S'|)xs, it has no coefficients 
greater than e in absolute value. As a consequence, sampling a function on 
S gives a good approximation of its expectation if its Fourier spectrum has 
bounded ii norm. In addition, e-biased sets are important building blocks in 
other pseudorandom constructions; for instance, if e = n^'^ for c > 0, then an 
e-biased set is also approximately 0(logn)-wise independent. 

There is a nice duality between e-based sets and linear error-correcting 
codes [3]. Given an e-biased set S, the truth table of each parity function frix) 
is a string in . Each such string is nearly balanced, with Hamming weight 
between (1 — e)|S'|/2 and (1 -|- e)|5'|/2. The set of parity functions has rank n, 
so an e-biased set 5 € Fj yields a (|S'|, n, d) code, i.e., a code of length l^l, rank 
n, and distance d = {1 — e)|5'|/2. As a consequence, we can lower bound the 
size of an e-biased set using sphere-packing arguments. As long as e is not too 
small, and in particular if e = l/poly(n), this gives \S\ — r2(ri/(e^ loge^^)) [5]. 

This lower bound is essentially tight, since we can construct an e-biased set 
by choosing 0(n/e^) elements of F2 uniformly and independently. Equivalently, 
a random error-correcting code meets the Gilbert- Varshamov bound with high 
probability. Of course, this requires n\S\ = 0(n^/e^) random bits. Under the 
reasonable assumption that TIME(2'^("') ^ SPACE (2'^'^"^), this construction can 
be generically derandomized [J. But, as always, we are interested in derandom- 
ized constructions that work even in the absence of complexity assumptions. 

Starting with [I], several deterministic constructions have been discovered, 
yielding e-biased sets of size polynomial in n and 1/e. Depending on how e 
scales with n, the best known constructions [H [S] yield sets of size 0{n/e^), 
0{rv^/e^), and 0((?T./e^)^/^). The construction of [5] is especially notable; it 
applies Bezout's theorem from algebraic geometry, and achieves a set whose 
size is the 5 /4 power of the optimum. 




We say that S is e-biased if, for all T 7^ 0, 



Pr [frix) - 0] - Pr [/t(x-) = 1] < e . 



Equivalently, if we identify Fj with {±1}" in the natural way, then 




E 4't{x) < e where 4>t{x) = I I a^i . 
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Tradeoffs between randomness and the quality of a combinatorial object is a 
classic topic in theoretical computer science. Here, we explore a different part of 
the randomness-size plane. Rather than reducing the amount of randomness to 
zero at the cost of making the set larger, we ask how much randomness we need 
to construct a set of optimal size, or equivalently what spaces we can succinctly 
describe that are guaranteed to contain at least one e-biased set of optimal size. 

Specifically, we give two randomness-efficient constructions of e-biased sets 
of size 0(n/e^). While neither construction offers a witness that the resulting set 
is indeed e-biased, both succeed with probability arbitrarily close to 1. The first 
uses 0{n log(l/e)) random bits, using Nisan's space-bounded generator to partly 
derandomize a construction of random error-correcting codes. The second uses 
0{n log(n/e)) bits but is more elementary, and has a pleasant algebraic flavor: it 
works by "re-randomizing" a construction in [2| involving the Legendrc symbol, 
and we use Weil sums to bound high moments of the bias. Note that if e = n~'^ 
for c > 0, then in both constructions the number of random bits we need is 
much smaller than the set itself. 

2 A random error-correcting code and Nisan's 
generator 

First we review a simple folklore construction of a random linear error-correcting 
code whose distance is very close to half its length; this corresponds to an e- 
biased set using the duality mentioned above. This construction already does 
noticeably better than the naive one, using 0(151) = 0{n/e'^) random bits. 
We then derandomize it further using a standard space-bounded pseudorandom 
generator, reducing the number of random bits to 0(n log(l/e)). 

Let m> n and consider the finite field F2™. We can identify each x € 
with an element of F2™ in a way that preserves the additive structure of Fj by 
setting all but the last n bits to zero. For any fixed a G F^, we can then define 
a set of codewords in F2 x F2™ , 



Since multiplication by a is a linear function, Cq, is closed under addition, mak- 
ing it a linear code. It has rank n and length n + m. We will show that, if 
a S F2m is uniformly random and m/n is sufficiently large, then Ca has dis- 
tance (1 — £){n + m)/2 with high probability, in which case it corresponds to an 
e-biased set of size n -f m. Equivalently, the Hamming weight \'Wx\ = \x\ + \ax\ 
of every nonzero codeword is at least (1 — e)(n -I- m)/2. 

For each nonzero x G Fj, ax is uniformly random in F2m since a is. Let 
5 < 1/2. By the union bound, the probability that there is an x ^ such that 
\wx\ < S{n + ™) is at most 



{x,ax) I X e ¥'^} . 
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where we sum over k = \x\ and j — \ax\. This sum has at most terms, and 
the summand is maximized when k ^ Sn and j = Sm, so 



P<n^ 2-'" < 2-" e''(*)("+'") , (1) 

\on ) \dm J 

where h{6) ~ —S\nS — (1 — (5) ln(l — S) denotes the entropy function. 
Now if (5 = (1 — e)/2, the Taylor series gives 

/i(,5)<ln2-y, 
P <n^ e"'"^^(^''/^)("+™^ . 



and ([T]) becomes 
If we set 



for some constant A > 21n2, then P = 2~^("^. Thus Cq, has distance (1 — + 
m)/2 with high probabihty, giving an e-biased set of size n + to = Oinje^). 

To choose a. uniformly would take to = 0(n/e^) random bits. However, 
we can do better by applying a pseudorandom generator for space-bounded 
computation. First, let us modify the construction somewhat, using t = m/n = 
0(l/e^) blocks of n bits each. Rather than choosing a from F2m, we write 
a = (ai, . . . , at) where € for each i. We then define each codeword as a 
concatenation of t + 1 blocks, 

Ca = = (a;, aix, 0,2^, . . . , atx) \ x G F2.. } . 

If the ai are uniformly random in then so is aix^ and the probability that 
any Wx has Hamming weight less than (1 — £)(n-t-TO)/2 is 2"^'"^ just as before. 

Now note that, for each x G F2" , there is a branching program with states 
{0, . . . , n + to} that takes ai, . . . , at as input and computes the total Hamming 
weight of Wx- Its initial state is |a;|, on the ith step it reads ai and increments its 
state by the weight of aiX, and it accepts if \wx\ > (1 — e)(n + to)/2. Our goal 
is to fool Bx with a pseudorandom sequence of tn bits, in such a way that the 
probability distribution of its final state has a total variation distance o(2~") 
from the distribution induced by uniformly random ai. Taking a union bound 
over all x, the probability that any Bx rejects, i.e., that any Wx has Hamming 
weight less than (1 — e)(n + to)/2, is then o(l) just as if the ai were uniform. 
In that case, Ca is again an error-correcting code of distance (1 — e){n + m)/2 
with high probability. 

We do this with Nisan's pseudorandom generator for space-bounded compu- 
tation. Say that / : {0, 1}^ — > {0, 1}''* is a pseudorandom generator for block size 
b and space s with parameter S and seed length £ if, for all branching programs 
B that read b bits at each step, take t steps, and have width at most 2^*, 



Pr [-B(/(7)) accepts] — Pr \B{a) accepts 
7e{o,i}' aelo,!}" 



Then Lemma 3 of |^ states the following, in slightly different notation: 
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Lemma 1. Let t < 2"'/^°. Then there is an exphcit pseudorandom generator / 
for block size b and space 5/20 with parameter 2^''/^° and seed length 0(61ogt). 

In our case, to match the union bound over all 2" possible x we want the 
parameter 6 to be, say, 2~^". To this end, we modify Bx so that it reads b = 40n 
bits at each step, ignoring all but n of them. Then [6J gives a pseudorandom 
generator with seed length 0{n\ogt) = 0(nlog(l/£)). 

Indeed, the space our branching program needs is just log(n + rn + 1) = 
0(log(n/e)), far smaller than the 6/20 = 0(n) allowed by the lemma. More- 
over, if we think of as computing \wx\ mod (n + m + 1) (note that \wx\ 
will never actually wrap around) it becomes a permutation branching program. 
Furthermore, for uniform inputs we know the probability distribution on the 
program's states exactly, namely the binomial distribution. 

It is tempting to think that these facts allow us to reduce the randomness still 
further, say to 0(n + log(l/e)). However, to our knowledge even the best known 
derandomization results on branching programs under various assumptions [7l 
[8j[9l[T0] require 51( (log 1/(5) (log f)) random bits, even for constant width. Since 
S = 2^^(") and t = Q{l/e^), this again gives n{n\og{l/e)) random bits. 

3 A construction using the Legendre symbol and 
Weil sums 

Here we present another construction, which uses 0(nlog(n/e)) random bits. If 
e is fairly large, say e = l/n°^^\ then this uses O(logn) more randomness than 
the previous construction. However, it is elementary and extremely explicit, and 
lets us invoke some pretty algebra. 

First we recall the definition of the Legendre symbol. Given a prime q, let g 
be a primitive root, i.e., a multiplicative generator of . Then let x : Fg — >■ R 
be defined as follows: 

{+1 ii X — z'^ for some z =^ 
— 1 ii X ~ gz^ for some z ^ 
if a; = , 

This is the quadratic multiplicative character of F^ , extended to F^ by setting 
X(0) = 0. Thus x{xy) = x{x)x{y) for ah x,y e Wg. 

Alon, Goldreich, Hastad, and Peralta ^ used the Legendre symbol to con- 
struct an e-biased set as follows. For each x ^¥q, consider the sequence 

w{x) = {x{x + l),x{x + 2),..., x{x + n)) . 

Mapping {±1} to {0, 1} gives an element Fj ; if a; + z = 0, we define 'w{x)i — 1. 
Their set is then 

S = {wix) \x£¥g}. 
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Except for a small error due to the rare case where x + i = 0, the bias of S with 
respect to T C [n] is then 



{x + i) 



If we write 



then p{x) is a polynomial of degree \T\ < n. In that case, the bias is a Weil 
sum, which we can bound using the following classic theorem: 

Theorem 1 (Weil). Let p{x) G ^q[x] be a non-square polynomial of degree d. 
Then 



< 



Since d < n, the bias is bounded by |6t| < n/^. This gives an e-biased set 5 
of size q = v? je^ . 

Our approach is to "re-randomize" this construction. Rather than taking n 
consecutive Legendre symbols, we let S = (si, . . . , s„) € be a collection of 
n "shifts." For each x G F,, these shifts let us extract n bits from the Legendre 
symbol sequence, giving a string 

(x(a; + si), x(a; + ^2), . • . , x(a; s„)) . 

In return for choosing these shifts randomly, we get to use a field Fg considerably 
larger than the set itself. We then show that S is e-biased with high probability 
in S by using Theorem [T] to control high moments of the bias. 

Let X C Fg be an arbitrary set of size such as {1, . . . , £}. Letting x range 
over X yields a set 

S = {w{x) |xeX}CF^, 

with \S\ — £. Assume for now that x + Sj 7^ for a\\ x G X and all j e [n\. 
Then the bias S with respect to T C [n] is 



hr = 



E n X{x - s,) 



xex 



We will show that, with high probability in S, this bias is small for all T 7^ 0. 
To this end, we bound its 2/jth moment for some k to be determined below. 
Expanding its 2fcth power gives products of the form 



2k 



Y[Ylx{xt- Sj), 

t=ijeT 



(2) 



6 



averaged over all tuples {xi, . . . ,X2k} S X^*^. For each x £ X, let N{x) be the 
number of times that x appears in this tuple. If N{x) is even for all x, then 
this product is a square, and is 1 regardless of the Sj. Taking the union bound 
over all {2k — 1)!! = {2k — l){2k — 3) • • • 3 • 1 perfect matchings of 2k objects, the 
probability that this occurs — given that all f^*^ tuples {xi, . . . , X2k} are equally 
likely — is at most 



{2k - 1) 



(2fc)! 
2''k\t^ 



< V2 



where we used a form of Stirling's inequality. 

On the other hand, if N{x) is odd for some x e Jf, the product ([2]) can be 
written 

Wx{Px^,...,X2k{Sj)) , 

where 

px^,...,x2As) = n (2^-*) 

a;:A'(a;) odd 

is a polynomial of degree at most 2k. In that case, since the Sj are independent 
and uniform in Fg , Theorem [1] gives 



J6T 



E X{Px,.,...,X2k{s)) 



< 



2k- 1 



Putting this all together, we have 



2k 



E^ n " *j 

2fe 



a;i,...,a;2fc S 



< Pr [^(2^) even for all x] 

{xi,...,X2k} 



E 

Xi,...,X2k 



2k 



t=i]eT 



N{x) odd for some x 



Markov's inequality gives 



(3) 



Pr[|6T| > £] = Pr[6f > < 



i'S Of 
c.2fc 



(4) 
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We now set q — 4(e£)^, making the field quadratically larger than \S\ — I. We 
also set k — |r|, using the 2/cth moment to control parities of weight k. Then 
combining and dH) gives, for any |T| > 1, 

Pr[|6T| > e] < 2 ' ' ' 



Taking a union bound over all T 7^ and using < (en/|r|)l-^l, the proba- 
bility that any nontrivial parity has bias greater than e is at most 

^P.M>...i:(,;,)(fflf..E(|i)r ,s, 

T=f^Z \T\ = \ ^11^^ ^ |T| = 1 ^ ' 

If we set 

6n 
&2 ' 



where (5 < 1, then bounding ([S]) with a geometric series gives 



so the set S is e-biased with probability 1 — (5. Finally, our assumption that 
a; + Sj 7^ for all a; € X and all j G [71] holds with probability \ — nljq = 

l-0((5£2). 

How much randomness do we need for this construction? We have to select 
the shifts si, . . . , s„ independently and uniformly from Fq, and 



Thus the number of random bits we need is 

n\o%q = 0[nlog{n/e)) 



4 Further derandomization? 

Can we do better? Our approach has a natural barrier at n random bits; since 
we take a union bound over all 2" index sets T, we need a probability space of 
size at least 2". Thus any further derandomization, say to o{n) random bits, 
would have to bound the bias for many parities simultaneously. 

The situation is similar for constructing optimal Ramsey graphs, i.e., edge- 
colored complete graphs on n vertices such that the largest monochromatic 
clique has size less than k = 21ogn. As pointed out in we can do this 
by choosing the coloring from a (2) -wise e-biased distribution, i.e., a family of 
functions from the set of edges to {0, 1} such that the parity of any set of (2) or 
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fewer edges is odd with probability e-close to 1/2. li e = 2^^ , the probabihty 
that a given chque of size k is monochromatic is o(l/(^')). So, by the union 
bound, with high probabihty there are no monochromatic chques of size k. 

We can generate such famihes [2] with 0(loglogn+(2)+loge~^) = O(log^n) 
random bits. Since we need a probabihty space of size (l) = 2"(i°s ") for 
the union bound over aU (^) chques to work, this is tight — unless we can do 
better than the union bound, ensuring simultaneously that many cliques are 
bichromatic. It is an interesting open question whether this can be reduced 
to, say, O(logn) random bits, in which case there are explicit graph families of 
polynomial size guaranteed to consist largely of optimal Ramsey graphs. 
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